Warn
Audited by Gen Agent Trust Hub on Mar 19, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [EXTERNAL_DOWNLOADS]: The documentation (docs/pdf_to_word_conversion_guide.md) instructs the agent to perform runtime installations of external packages 'pdf2docx' and 'PyMuPDF'. Additionally, docs/forms.md references a 'scripts/' directory containing several automation scripts (e.g., 'extract_form_field_info.py', 'fill_fillable_fields.py') that are not included in the provided skill package, making their implementation and behavior unverifiable.\n- [COMMAND_EXECUTION]: The skill documentation (docs/pdf_to_word_conversion_guide.md) explicitly guides the agent to write a custom Python script to disk, execute it using 'python3', and then delete it. This dynamic script generation and execution pattern is a medium risk. Furthermore, the skill relies heavily on shell-based utilities like 'qpdf', 'pdftotext', and 'pdftk', which can be vulnerable to command injection if user-provided filenames or PDF metadata are not sanitized before being passed to the shell.\n- [PROMPT_INJECTION]: The skill is highly vulnerable to indirect prompt injection (Category 8). 1. Ingestion points: Untrusted PDF files provided by users or external sources (SKILL.md, docs/SKILL.md). 2. Boundary markers: No delimiters or instructions to ignore embedded commands are provided. 3. Capability inventory: The skill possesses significant capabilities including writing files, executing shell commands, and installing packages. 4. Sanitization: There is no evidence of sanitization or validation of the content extracted from PDFs before it is used in subsequent operations.
Audit Metadata